Hi Hector,
LF Edge Measured Boot and Remote Attestation document is a good picture of what
we are trying to do:
https://wiki.lfedge.org/spaces/flyingpdf/pdfpageexport.action?pageId=27722830
While our specific setup uses some non-standard stuff like ISO boot,
please find a simple setup to reproduce this.
1. Enable Secure Boot in the BIOS if using a PC with a TPM, or use a virtual machine
with a vTPM and Secure Boot:
    <tpm model="tpm-crb">
      <backend type="emulator" version="2.0"/>
      <alias name="tpm0"/>
    </tpm>
    <os firmware="efi">
      <type arch="x86_64" machine="pc-q35-8.2">hvm</type>
      <firmware>
        <feature enabled="yes" name="enrolled-keys"/>
        <feature enabled="yes" name="secure-boot"/>
      </firmware>
      <loader readonly="yes" secure="yes" type="pflash">/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader>
      <nvram template="/usr/share/OVMF/OVMF_VARS_4M.ms.fd">/var/lib/libvirt/qemu/nvram/ubuntu24.04_VARS.fd</nvram>
      <boot dev="hd"/>
    </os>
2. Install Ubuntu 22.04. The default 5.15 kernel does not perform kernel
module integrity measurements, as seen from
/sys/kernel/security/ima/ascii_runtime_measurements. Install the HWE kernel
package (linux-image-generic-hwe-22.04) to upgrade to 6.15, where the
kernel module integrity is checked as well. I see some minor build flags
changed between the two for CONFIG_IMA and CONFIG_INTEGRITY. But, at
this step, PCR10 changes on every reboot.
https://bugs.launchpad.net/bugs/2068627
Title:
IMA Hashes keep changing on every reboot (PCR10)
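To pin down what step 2 observes, the following added example (my own code, not from the bug report or the LF Edge document) replays an IMA ascii_runtime_measurements log into the SHA-1 PCR10 value it should produce and diffs two boots' logs to show which measured files changed; the log lines, template hashes and module paths are constructed, and the ff-substitution for all-zero violation entries follows documented IMA behaviour.

```python
"""Replay an IMA measurement log into its expected PCR10 and diff two boots' logs. Added example; sample log lines are constructed."""
import hashlib
from typing import NamedTuple

SHA1_ZERO = bytes(20)  # a PCR reads all-zero after TPM reset

class ImaEntry(NamedTuple):
    pcr: int
    template_hash: str  # hex SHA-1 over the template data; this is what gets extended
    template: str       # ima-ng, ima-sig, ima-modsig, ...
    file_hash: str      # "algo:hex" as logged
    path: str

def parse_ima_log(text: str) -> list[ImaEntry]:
    """Parse the /sys/kernel/security/ima/ascii_runtime_measurements format."""
    entries = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) == 5:  # ima-sig/ima-modsig append a signature blob after the path
            pcr, thash, template, fhash, rest = parts
            entries.append(ImaEntry(int(pcr), thash, template, fhash, rest.split()[0]))
    return entries

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend for the SHA-1 bank: new = SHA1(old || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def replay_pcr(entries: list[ImaEntry], pcr: int = 10) -> str:
    value = SHA1_ZERO
    for e in entries:
        if e.pcr == pcr:
            digest = bytes.fromhex(e.template_hash)
            # IMA logs a violation with an all-zero template hash but extends the TPM
            # with 0xff bytes, so a naive replay would never match the real PCR.
            value = extend(value, b"\xff" * 20 if digest == SHA1_ZERO else digest)
    return value.hex()

def diff_logs(old: list[ImaEntry], new: list[ImaEntry]) -> list[tuple[str, str, str]]:
    """(path, old file hash, new file hash) for every path measured differently; None = absent."""
    a = {e.path: e.file_hash for e in old}
    b = {e.path: e.file_hash for e in new}
    return [(p, a.get(p), b.get(p)) for p in sorted(a.keys() | b.keys()) if a.get(p) != b.get(p)]

MOD = "/usr/lib/modules/6.8.0-generic/kernel/drivers/net/"  # constructed sample paths
OLD_BOOT_LOG = "\n".join([f"10 {'1'*40} ima-ng sha256:{'a'*64} boot_aggregate",
    f"10 {'2'*40} ima-ng sha256:{'b'*64} {MOD}e1000.ko",
    f"10 {'3'*40} ima-modsig sha256:{'c'*64} {MOD}dummy.ko 3082{'0'*12}"])
NEW_BOOT_LOG = "\n".join([f"10 {'1'*40} ima-ng sha256:{'a'*64} boot_aggregate",
    f"10 {'4'*40} ima-ng sha256:{'d'*64} {MOD}e1000.ko",
    f"10 {'0'*40} ima-ng sha256:{'0'*64} /etc/fstab"])  # violation: all-zero hashes
```

On a real host, feed the file at the path named in parse_ima_log's docstring from two boots to diff_logs, and compare replay_pcr's result with the SHA-1 bank value from tpm2_pcrread to confirm the log explains the PCR10 you see.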